RSAC Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an org with malware? There is an answer, for the moment at least.
According to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune 500.
They're masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be working from the USA, and they are using AI – but there's a question during job interviews that never fails to catch them out and forces them to drop out of the recruitment process.
"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday.
Meyers explained the North Koreans will use generative AI to develop bulk batches of LinkedIn profiles and applications for remote work jobs that appeal to Western companies. During an interview, multiple teams will work on the technical challenges that are part of the interview while the "front man" handles the physical side of the interview, although sometimes rather ineptly.
"One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it." But it works enough that quite a few score the job and millions of dollars are being funneled back to North Korea via this route.
Once placed in the coveted role, such workers are usually very successful in the company, since they have multiple people working on one job to produce the best work possible - with the hope of getting a promotion and more access to the business' systems - explained panelist FBI Special Agent Elizabeth Pelker.
"I think more often than not, I get the comment of 'Oh, but Johnny is our best performer. Do we actually need to fire him?'" she said.
The aims of these phony workers are two-fold, she explained. Firstly, they earn a wage and use their access to steal intellectual property from the victim. This is usually exfiltrated in tiny chunks so as not to trigger security systems.
One mitigation strategy, she said, was to insist that any interviewee perform coding tests within the corporate environment. This lets the company check the actual IP address being used, lets interviewers see how often the prospect switches between screens, and allows other clues to leak out that all is not as it seems.
If the interloper is exposed and fired, however, they will usually have already collected login details, planted unactivated malware, and will then attempt to extort the maximum they can from the victim. She urged anyone who spots a fake employee to contact their local FBI field office immediately.
The Red Queen's race
But the attackers are getting smarter, and in some ways the FBI is a victim of its own success.
The agency has been distributing advice to US companies but these memos are also being read in Pyongyang and the workers are adapting their tactics. This sometimes involves using both aware and unwitting accomplices.
For example, to get around the IP address problem, laptop farms are springing up all over America. If an applicant gets a job, the firm will usually send him a laptop, at which point the interviewee explains that they've moved or have a family emergency, so could they send it to a new address please?
This is most likely a laptop farm, where someone in the US agrees to run the laptop from a legitimate address for a fee, typically around $200 a computer, according to Meyers. Last year the FBI busted one such operation in Nashville, Tennessee, and charged the operator with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens.
Rather than creating identities, the North Korean workers have now taken to either stealing the ones they want, or fooling people into handing them over for a good cause. There's a growing business in Ukraine of convincing people to share their identity with third parties under the pretext of using them against Chinese agents who are propping up Russia.
"Unfortunately, because this is supporting North Koreans, the money then goes back through to filter through to the North Korean regime," said Chris Horne, senior director at jobs site Upworthy. "Then, in turn, it goes to support the troops that come back in through Russia. So they're basically paying for their own demise in Ukraine right now."
We've also seen deepfake job interviewees that are good enough to fool IT professionals, sometimes more than once. This technology is only improving and will get more and more convincing, Pelker warned.
The key to fixing this, the panelists agreed, was to educate everyone in the interview process – right down to the lowest staffer – and to be hyper vigilant for warning signs. If possible, they said, one should have someone local swing around for a personal meeting, and maybe also avoid hiring fully remote employees. ®
Digital scammers and extortionists bilked businesses and individuals in the US out of a "staggering" $16.6 billion last year, according to the FBI — the highest losses recorded since the bureau's Internet Crime Complaint Center (IC3) started tracking them 25 years ago.
Also in 2024: Ransomware again posed the biggest threat to critical infrastructure organizations, with the number of complaints to the IC3 increasing nine percent compared to the year prior.
"These rising losses are even more concerning because last year, the FBI took significant actions to make it harder, and more costly, for malicious actors to succeed," wrote B. Chad Yarbrough, the FBI's operations director for criminal and cyber, in the 2024 IC3 report [PDF] out now.
Yarbrough cited the "serious blow" the Feds dealt to LockBit, and the "thousands" of decryption keys that the federal cops have made available to ransomware victims since 2022.
And yet the scourge continues.
The FBI and IC3 track extortion and ransomware as two separate categories, and in 2024 extortion was the second-most frequently reported cybercrime overall with 86,415 complaints. For comparison, the top crime type last year, phishing and spoofing, generated 193,407 complaints. Ransomware was further down the list with 3,156 reports. But that's up from 2,825 incidents in 2023, and 2,385 in 2022.
The report found Americans lost $143.2 million to extortion scams and $12.5 million after ransomware infections. The FBI noted that the ransomware losses may be under-reported, and do not include the financial impact of lost business, time, wages, files, equipment, or third-party incident response and remediation services brought in to clean up the mess.
"In some cases, entities do not report any loss amount to FBI, thereby creating an artificially low overall ransomware loss rate," the report adds. "Lastly, the number only represents what entities report to FBI via IC3 and does not account for the entity directly reporting to FBI field offices/agents."
Top 5 targeting critical orgs
America's critical infrastructure operators reported almost 4,900 cybersecurity threats last year, with ransomware (1,403 complaints) topping the list. The five most reported ransomware variants: Akira, LockBit, RansomHub, Fog, and PLAY.
LockBit's top spot on the FBI list echoes the findings of Cisco Talos' most recent year in review report, which also credited LockBit as the most active ransomware-as-a-service (RaaS) group, accounting for 16 percent of the claimed attacks in 2024.
"For us, that's pretty remarkable, given how dynamic that space is where you're seeing groups you shut down, or rebrand, or new groups emerge, or law enforcement action being taken," Kendall McKay, strategic lead at Talos, told The Register, in an earlier interview. "To see LockBit stay at the top for such a long time really caught our attention this year."
The Talos report noted that LockBit's builder software – a tool used to create custom versions of the malware – was leaked in September 2022, and this likely contributed to the ransomware's prevalence.
Two of the other biggest threats in 2024 also trace some of their success to the LockBit takedown.
Security researchers suspect both Akira and RansomHub (believed to be a Knight ransomware rebrand) benefited from the LockBit and ALPHV/BlackCat disruption, recruiting those crews' top talent into their own affiliate rosters.
In addition to the tried-and-true malware families, IC3 recorded 67 new ransomware variants in 2024, with the most reported being Fog, Lynx, Cicada 3301, Dragonforce, and Frag.
There is a slight silver lining in the report's ransomware statistics. While complaints have been on the rise, costs have dropped. In 2024, ransomware losses reported to IC3 totaled $12.5 billion, compared to $59.6 billion in 2023 and $34.4 billion in 2022. ®
RSAC The biggest threat to US critical infrastructure, according to FBI Deputy Assistant Director Cynthia Kaiser, can be summed up in one word: "China."
In an interview with The Register during RSA Conference, she said Chinese government-backed crews are testing out AI in every stage of the attack chain. This isn't to say that they're succeeding, but it does make them "more efficient, or might make them a little faster," Kaiser added.
The ongoing threat from Beijing-backed digital intruders burrowing into America's critical facilities likely isn't a huge shock to anyone who can name at least two of the Typhoons that have come to light between last year's RSAC and this year's infosec event.
By now, most people are aware of the sophistication and stealth with which Beijing's snoops move around critical government, telecommunications, energy, and water networks, sometimes for years before being detected.
Volt Typhoon, for example, infected hundreds of outdated routers to build a botnet and break into US critical infrastructure facilities, all the while readying destructive cyberattacks against those targets.
And another Chinese espionage crew, Salt Typhoon, compromised at least nine US telecommunications companies and government networks last year, before attempting to exploit more than a thousand internet-facing Cisco devices as recently as January.
These and other agents working on behalf of the Chinese government break into American networks through "unsophisticated means, or especially end-of-life devices," Kaiser told The Register.
"We see them coming in, oftentimes, through unpatched vulnerabilities or an unpatched device, and then when they get onto a system it's very quiet," she said.
FBI agents who responded to China's Volt Typhoon intrusions and visited some of the energy and other compromised facilities "will talk about how deftly the Chinese navigated an internal system, coming in through a business network to get to the operational side," Kaiser noted. "That's what we saw with Salt Typhoon as well: being able to move laterally and navigate, taking their time to get the access they want."
One of former FBI Director Christopher Wray's favorite warnings was that China has 50 dedicated hackers for every one of the bureau's cyber-focused agents – and that was well before the Trump administration returned to the White House and slashed federal budgets and employees from the payroll.
So it would seem that America is only making it easier for Chinese operatives to do their job.
'Business as usual'
But when asked how the recent government changes have affected the FBI's ability to respond to cyberthreats, Kaiser said: "For us, it's really been business as usual."
That business involves responding to nation-state attackers as well as ransomware gangs and other financially motivated cybercriminals, who are increasingly using AI to make their attacks more efficient, faster, and scalable.
"At the FBI, we track AI really closely, in a refined way, to say, over time, which countries are either doing the use case or more frequently integrating it into which part of their operations across the attack life cycle," Kaiser added. "The widest adoption of use cases we've seen is from China and cybercriminals."
This includes using AI to create fictitious business profiles at scale, and using these with the help of large language models to craft more believable spear-phishing messages to use in social engineering campaigns.
Still, the intruders' use is similar to the defenders' in that they are not using AI to launch end-to-end attacks, but rather to make their initial scanning and preparation stages more efficient. "We see a lot of adversaries just trying it out. How could I use AI here? What would it mean there? And it might just mean they've enriched a target campaign, it doesn't mean they've created polymorphic malware that can change when it's on a system," Kaiser noted.
So while the doomsday scenarios that we all heard about at previous RSA Conferences haven't yet morphed into reality, attackers are using AI for more practical purposes.
"The other way that companies need to be worried about AI is that it does help an adversary map a network better," Kaiser said. "So once they've got onto a network, it does help enable where they might want to go."
This is significant because the "first line of defense is: keep adversaries out," she added. "The second one, though, is then ensuring that people can't move around your network."
MFA – or a safe word
In addition to these two uses for AI, the technology also makes it easier for everyone from fake North Korean IT workers to common crooks to create deepfake videos, swindle companies and individuals out of money, and steal their sensitive IP.
"Imagine you get a call from your CEO," Kaiser said. "It's on a messaging app you've used before, and it's your CEO sitting in a house where you've seen them many times, and they tell you: I need you to make a wire transfer here, or join an urgent online meeting at this link. A lot of us, me included, would probably do what my CEO told me to do without thinking, could this be fake?"
Criminals are doing this, and using deepfake videos to "swindle millions from businesses as a result," she added. "So it's going to be imperative to add MFA to everything."
For digital systems, this may include an authentication code or biometric data like a fingerprint. But for a scenario when someone at your company appears to be asking you to transfer large sums of money, multi-factor authentication may involve a more low-tech way of verifying someone's identity.
According to Kaiser: "Old-school MFA is having a secret word." ®